GitHub: "We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity."
tiffanyh
Is Twitter/X the right channel to announce a security event like this?
I ask because I don’t see anything posted on their official blog or status page.
The security issue aside, seeing more companies push announcements like these on X as the only official source is a trend I'm not sure I like.
I can understand the rationale, this feels lighter and not something that belongs on status.github.com or the blog. Maybe what's actually missing is an official channel for ephemeral stuff on a domain they own, somewhere between a status page and a tweet? Just sharing an observation.
keyle
This is bad. If they came out announcing this, without a long-winded explanation and further details, it's because they're staring at a bottomless pit and they haven't put the lid on it yet.
For a Fortune 100, to go out of your way to spook investors is the least desirable approach.
bananamogul
I have a hard time believing this because there was never enough GitHub uptime to carry out the attack.
Sympathy to engineers and everyone at GitHub, it's good that they're being open even if findings are limited. I'm sure they will figure out the root cause and will publish results to be a learning experience for everyone else.
All of their repos have been copied and are up for sale. Attackers are TeamPCP, the creators of the Shai-Hulud malware.
killingtime74
Time to switch to Gitlab, Bitbucket or self-hosted
shevy-java
As some of us stated in the last weeks: Microsoft is working hard to get people to reconsider GitHub. All those small issues keep on adding up. Something is seriously flawed at Microsoft here - those problems did not exist in that way 2 or 3 years ago. It coincides with the rise of AI.
surrTurr
"Someone broke into our house and we have no clue if they're still hiding under the bed or in the drawer. TV is gone."
mstank
Is it just me or is this happening way more frequently in the last 4 or 5 months? Coincidentally around the same time the models got a lot more capable?
starkeeper
this is so amazing and brilliant display of the enshittification wow they won't fire the right people guaranteed maybe a slightly smaller ``bonus``
waynesonfire
Are they required to announce that they're being hacked in real time?
syngrog66
Between all the Linux LPEs and Claude's known security flaws, alone, I'd be shocked if GitHub and Microsoft hadn't gotten hacked by now. Reasonable bet we mainly hear it when big shops get bit.
https://github.blog/
https://www.githubstatus.com/
- Use Static analysis for GHA to catch security issues: https://github.com/zizmorcore/zizmor
- set locally: pnpm config set minimum-release-age 4320 # 3 days in minutes https://pnpm.io/supply-chain-security for other package managers check: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e...
- add Socket Free Firewall when installing npm packages on CI https://docs.socket.dev/docs/socket-firewall-free#github-act...
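The "minimum release age" setting in the list above holds a package install back from any version published less than N minutes ago, so a freshly pushed (possibly hijacked) release is not pulled in automatically. The following is an added example, not the commenter's code and not pnpm's implementation: it models that gate over a packument shaped like the npm registry's `time` map (version to ISO-8601 publish timestamp, plus `created`/`modified` entries). The packument, the fixed `NOW` clock, and the assumption of plain numeric versions are all constructed for the example.

```python
"""Minimum release age gate over npm-style registry metadata (added example).

Mirrors the idea behind `pnpm config set minimum-release-age 4320`: any
version whose publish time is younger than the threshold is quarantined
and cannot be resolved.  SAMPLE_PACKUMENT and NOW are CONSTRUCTED sample
data; nothing here contacts a real registry.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the "latest" tag points at a version pushed one hour ago.
SAMPLE_PACKUMENT = {
    "name": "example-pkg",
    "dist-tags": {"latest": "2.0.0"},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-03-10T11:00:00.000Z",
        "1.0.0": "2024-01-01T00:00:00.000Z",
        "1.1.0": "2024-02-15T09:30:00.000Z",
        "2.0.0": "2024-03-10T11:00:00.000Z",
    },
}

# Fixed clock so the example is deterministic (assumption, not real time).
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)

# Keys in the registry `time` map that are not version numbers.
_NON_VERSION_KEYS = {"created", "modified"}


def _parse_ts(ts: str) -> datetime:
    """Parse a registry timestamp; the trailing 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _version_key(version: str):
    """Sort key for plain numeric versions (assumed: no pre-release suffixes)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(packument: dict, min_age_minutes: int, now: datetime = NOW) -> list:
    """Versions published at least `min_age_minutes` before `now`, oldest first."""
    cutoff = now - timedelta(minutes=min_age_minutes)
    ok = [
        version
        for version, ts in packument["time"].items()
        if version not in _NON_VERSION_KEYS and _parse_ts(ts) <= cutoff
    ]
    return sorted(ok, key=_version_key)


def quarantined_versions(packument: dict, min_age_minutes: int, now: datetime = NOW) -> list:
    """Versions held back by the gate; useful to surface in CI output."""
    allowed = set(eligible_versions(packument, min_age_minutes, now))
    held = [
        version
        for version in packument["time"]
        if version not in _NON_VERSION_KEYS and version not in allowed
    ]
    return sorted(held, key=_version_key)


def resolve(packument: dict, min_age_minutes: int, now: datetime = NOW):
    """Newest version old enough to install, or None if every version is too new.

    Note that the registry's `dist-tags.latest` is deliberately ignored: the
    gate decides from publish time, not from what the publisher labelled latest.
    """
    candidates = eligible_versions(packument, min_age_minutes, now)
    return candidates[-1] if candidates else None


if __name__ == "__main__":
    three_days = 4320  # minutes, the value used in the comment above
    print("resolved:", resolve(SAMPLE_PACKUMENT, three_days))
    print("held back:", quarantined_versions(SAMPLE_PACKUMENT, three_days))
```

With the three-day threshold the gate resolves `1.1.0` and reports `2.0.0` as held back even though it carries the `latest` tag; with a threshold of zero the newest version is selected, which is the behaviour the setting exists to change.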
non-twitter link: https://xcancel.com/github/status/2056884788179726685#m
Is gitea any good?
https://pbs.twimg.com/media/HItbXhvW4AAMD8W?format=jpg&name=...
Mythos has broken containment